Article author: bug Information source: evil octal information security teamwww.eviloctal.com to
本文 所 做 的 实验 是以 ah.js(ice Fox a variant,the attachment named"病毒 样本 .txt")as a virus sample,other js malicious code without tests. Since Kaspersky the js killing the intensity is relatively large, and furthermore, I the present machine it is installed Kaspersky, so its a small amount of additional analysis. Rookie works hard to presentable and master a lot of advise! ^-^
The conventional idea is the js coding later so that the antivirus can not find the feature code and so is not reported. The present experiments also follow this idea,so not much innovation. (Must have the innovation point,the latter part of a tips can be considered a. Oh) So the js file is split into several pieces, look at the features of the code in somewhere, and then modified. ccl can not be disassembled non-pe file, it does not fit, so everything is Manual. But for a start I did not do so, I use the escape function to this js coding,the use of the time and then unescape back,then write the code,but the test failed! (And maybe other antivirus monitor does not come out,but BA is not) Want to possible signatures also exist,so the original file each character in the ASCII read out, and then use the String. fromCharCode series is back,this certainly won't have signatures anymore,because only a string of numbers,so very proud to do so,however,very unexpected,Kabbah immediately put this file to kill!!!!
Quite by accident,did Kabbah is dynamic track? So the virus samples in the variable name is changed,be killed!! Does he live monitoring of every variable,once found that the variable has illegal content immediately killing?! Combined with the first experiment,I'm almost OK here's the thing,but the following experiment and let me accidentally:
The virus samples in the variable name is changed,then added a few intermediate variables,have been waiting to be Kabbah kill,but the card Patchett put it in the release(in the Annex 样本 直接 变形 .txt).
So re-think. [You and I like the side dishes a dish also together think about it,master Mo laugh]
Kaspersky is not so smart to go to the Live tracking of each variable,he might just embedded a script Analyzer,you can analyze a simple script coding,so more than a few experiments would have been killed as a result. Then BA is also a feature of code-driven,so, 样本 直接 变形 .txt will be released.
This idea of the direct product is:Annex,"js deformationfree kill"this stuff,because a simple encoding will not bypass the card bar,but the source code is slightly changed it can be. If the combination of the two? js deformationfree kill do. Everyone can look at his code. In the Annex there he after deformation ah. js code"生成 样本 1.js" Oh,don't happy,he was Kabbah kill,huh. But the river people would let him (the Annex has a variety of antivirus comparison)
The deformation is not enough? Then write a js modificationfree kill2 ,and finally to bypass the card bar. Based on my above ideas think of other malicious js by this tool after deformation can befree to kill, but I did not do the relevant test, but also want to see where you get to test it out, Thank you!
Write a good long-winded Ah! in! As the manuscript made touches can earn points. Huh. The following is I think a little innovation. Also in the measured pattern position to think of. Look at the attachment the js fragment BA detected, found? Oh
Still the same: the js file is split into several pieces, look at the features of the code in somewhere, and then modified. By the time of the split into several pieces after are not reported to poison, depressed, have to re-scrape, and because the feature code is open, is not detected. Haha, guessed? I put these few pieces apart to put on, and then another file in use <script src=piece1. js></script> <script src=piece2. js></script> <script src=piece3. js></script> Put them together to interesting to bypass the anti-virus to the Annex there is a description of the
Actually asp can also, include doesn't it?
Well, a very long-winded,write something when you always play posting 1 sentence 5 sentence says the spirit of the~~ay~~
asp horsefree kill? Can completely according to the above ideas. But I did not write out the corresponding tools to their own labor.~
[Personal feel of the asp of the horse harm than js big why? Oh,and so only the js the deformation is given....... js free kill, he calls the horse may not necessarilyfree killbawl~]
To prevent is antivirus Avira,the attachment is encrypted,the password is est